fix Potential file inclusion via variable (#2523)

Signed-off-by: slayer321 <sachin.maurya7666@gmail.com>

pkg/kyverno/apply/apply_command.go

@@ -204,7 +204,9 @@ func applyCommandHelper(resourcePaths []string, cluster bool, policyReport bool,
 	// empty the previous contents of the file just in case if the file already existed before with some content(so as to perform overwrites)
 	// the truncation of files for the case when mutateLogPath is dir, is handled under pkg/kyverno/apply/common.go
 	if !mutateLogPathIsDir && mutateLogPath != "" {
+		mutateLogPath = filepath.Clean(mutateLogPath)
 		_, err := os.OpenFile(mutateLogPath, os.O_TRUNC|os.O_WRONLY, 0600)
+
 		if err != nil {
 			if !sanitizederror.IsErrorSanitized(err) {
 				return rc, resources, skippedPolicies, pvInfos, sanitizederror.NewWithError("failed to truncate the existing file at "+mutateLogPath, err)
@@ -374,7 +376,9 @@ func createFileOrFolder(mutateLogPath string, mutateLogPathIsDir bool) error {
 					}
 				}
 
+				mutateLogPath = filepath.Clean(mutateLogPath)
 				file, err := os.OpenFile(mutateLogPath, os.O_RDONLY|os.O_CREATE, 0600)
+
 				if err != nil {
 					return sanitizederror.NewWithError(fmt.Sprintf("failed to create file"), err)
 				}

pkg/kyverno/common/common.go

@@ -139,6 +139,7 @@ func GetPolicies(paths []string) (policies []*v1.ClusterPolicy, errors []error)
 					continue
 				}
 			} else {
+				path = filepath.Clean(path)
 				fileBytes, err = ioutil.ReadFile(path)
 				if err != nil {
 					err := fmt.Errorf("failed to process %v: %v", path, err.Error())
@@ -649,6 +650,7 @@ func PrintMutatedOutput(mutateLogPath string, mutateLogPathIsDir bool, yaml stri
 	var err error
 	yaml = yaml + ("\n---\n\n")
 
+	mutateLogPath = filepath.Clean(mutateLogPath)
 	if !mutateLogPathIsDir {
 		// truncation for the case when mutateLogPath is a file (not a directory) is handled under pkg/kyverno/apply/test_command.go
 		f, err = os.OpenFile(mutateLogPath, os.O_APPEND|os.O_WRONLY, 0600)

pkg/kyverno/common/fetch.go

@@ -236,6 +236,7 @@ func getFileBytes(path string) ([]byte, error) {
 			return nil, err
 		}
 	} else {
+		path = filepath.Clean(path)
 		file, err = ioutil.ReadFile(path)
 		if err != nil {
 			return nil, err

pkg/testrunner/scenario.go

@@ -3,7 +3,6 @@ package testrunner
 import (
 	"bytes"
 	"encoding/json"
-	"github.com/stretchr/testify/assert"
 	"io/ioutil"
 	"os"
 	ospath "path"
@@ -11,6 +10,11 @@ import (
 	"reflect"
 	"testing"
 
+	"github.com/stretchr/testify/assert"
+
+	"path"
+	"runtime"
+
 	kyverno "github.com/kyverno/kyverno/pkg/api/kyverno/v1"
 	client "github.com/kyverno/kyverno/pkg/dclient"
 	"github.com/kyverno/kyverno/pkg/engine"
@@ -22,8 +26,6 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	apiyaml "k8s.io/apimachinery/pkg/util/yaml"
 	"k8s.io/client-go/kubernetes/scheme"
-	"path"
-	"runtime"
 )
 
 type Scenario struct {
@@ -116,6 +118,7 @@ func loadFile(t *testing.T, path string) ([]byte, error) {
 	if _, err := os.Stat(path); os.IsNotExist(err) {
 		return nil, err
 	}
+	path = filepath.Clean(path)
 	return ioutil.ReadFile(path)
 }
 

pkg/testrunner/utils.go

@@ -3,6 +3,7 @@ package testrunner
 import (
 	"io/ioutil"
 	"os"
+	"path/filepath"
 
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"sigs.k8s.io/controller-runtime/pkg/log"
@@ -13,6 +14,7 @@ func LoadFile(path string) ([]byte, error) {
 	if _, err := os.Stat(path); os.IsNotExist(err) {
 		return nil, err
 	}
+	path = filepath.Clean(path)
 	return ioutil.ReadFile(path)
 }
 

pkg/webhookconfig/common.go

@@ -2,6 +2,7 @@ package webhookconfig
 
 import (
 	"io/ioutil"
+	"path/filepath"
 	"reflect"
 
 	"github.com/kyverno/kyverno/pkg/config"
@@ -42,6 +43,7 @@ func extractCA(config *rest.Config) (result []byte) {
 	fileName := config.TLSClientConfig.CAFile
 
 	if fileName != "" {
+		fileName = filepath.Clean(fileName)
 		result, err := ioutil.ReadFile(fileName)
 
 		if err != nil {